With the massive expansion of the Internet and online collection of personal information, privacy is a real concern these days. Your nonprofit organization’s privacy policy is the first step in an overall approach to responsibly collecting, sharing and safeguarding the information you obtain: it is a pledge to your donors and supporters to maintain their confidentiality. Having an up-to-date privacy policy is also considered “good governance”; as an example, the most recent NYC Good Governance Blueprint recommends that nonprofit organizations “develop, publish, implement, and monitor implementation of its privacy policy.”
So how should one go about drafting a website privacy policy? The Federal Trade Commission advises that when drafting your privacy policy “say what you mean and mean what you say.” The first part is easy – you need to have a global understanding of what your organization does with the information it collects. For example, do you share information with third parties, use cookies and other web tracking technologies, or send promotional emails? Whatever the practices, they need to be clearly described in your privacy policy.
The second part, “do what you say”, is more of a challenge. Simply stating the policy is not enough – you must adhere to the policies and procedures as described. Your organization will be held accountable for any failure to meet its own written standards, so it is imperative that everyone in the organization understands what they should be doing – and, equally important, what they should not be doing. There are useful tools and approaches for assessing and monitoring such adherence that you may consider adopting, such as a data privacy audit.
Finally, your privacy policy must keep pace with your practices and with changing law. Web technologies, marketing strategies and other internal practices change regularly. If the marketing department concludes that a monthly e-newsletter to donors is essential, that’s fine, but make sure that this is addressed in the privacy policy. Unfortunately, many organizations do not routinely update their privacy policies to keep pace with such changes.
Additionally, the laws applying to privacy practices are in constant flux. As an example, the General Data Protection Regulation (GDPR) issued by the European Union (EU) became effective May 25, 2018. Although some organizations have adopted privacy processes and procedures in response to the regulation, many are still unclear as to its impact upon their organizations and the steps necessary to comply. In regard to your privacy policy, GDPR does require that you include specific provisions and “rights” in your online privacy policy. Failure to comply could result in significant fines and penalties.
As someone who routinely reviews and drafts privacy policies, I am keenly aware of how quickly these privacy policies can become “outdated.” If you have a professionally drafted privacy policy, make sure that it is reviewed, followed and updated on an annual basis. If you are like many organizations and have an outdated and/or inadequate privacy policy, then revising it should be a top priority. The investment today will go a long way in honoring the commitment to the privacy your supporters expect and deserve.